Spam detection software, running on the system "mail.securityfocus.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that

Dear Richard,
I haven't tried it yet, but it should be worth trying out. Let me tell you
my understanding of how EFS works. When a user encrypts a file using EFS
for the first time, then a public/private key pair is generated and a
FEK (File Encryption Key) is generated. This FEK is a symmetric key

I believe cracking EFS encrypted files is not going to be likely here, unless you were able to somehow recover the deleted user profiles from the wiped version of Windows from the disk, from the domain (if it was joined to a domain) or from a backup. How exactly was the disk "wiped?"

I have a network printer connected to an HP jetdirect module. I need to find
out who printed some files lately. How can I retrieve the log files from the
module? Thanks.

I have a drive where I need to investigate one encrypted folder full of
equally encrypted files. (XP default type encryption of files/folders)
The original system disk is unavailable due to a wipe, so the key is lost.

Is there any way to rebuild the files to make an investigation possible?

The new 0.2.1 release of CarvFs ( http://ocfa.sourceforge.net/libcarvpath/ )
now comes with a script (scalpelcp) that makes it work in conjunction with
the preview mode ( the -p option) of scalpel. This script can be used to
populate the scalpel output dir with symlinks to the proper carvfs pseudo
f

Hi, for the past year I have been working on a framework written in Python to parse any binary file. Some features:
* Autofix: Catch any parser error and fix them as soon as possible
* Lazy: Field value, size, description, absolute address, (...) are computed on demand
* No arbitrary limit on addresses, field

If it were just an iso, you shouldn't have had a problem with the mount. A Windows partition has an offset of 32256 according to the Anti-Hacker Toolkit. You can do the following:
losetup -o 32256 /dev/loop0 /media/test
mount -o ro /dev/loop0 /media/recovery
ls /media/recovery

On 11/20/06, Brian Carrier <carrier (at) digital-evidence (dot) org> wrote:
> You could use tools such as gpart or testdisk to search the drive for
> file system signatures to determine if there are file systems

This is all done within the registry and not a log file unless some third party synchronization software was used. There are unique descriptors created for each device that list information like what kind of device it is, number of endpoints, etc.

About a week after I sent my previous response to both you and the
forensics mailing list, I got notification that it wasn't approved for
the forensics list; I have no idea why not. Hopefully you received it,
but it is included below in any case.

I've watched this topic ebb and flow for quite some time and I've often wondered if anyone has ever taken a test drive, placed a "sensitive" file on it, either a string of ASCII or a whole file, overwritten the drive, and tasked another person to find it using currently available open source or comme

The First International Workshop on Spoofing, Digital Forensics and Open Source Tools (SDFOST), in conjunction with ARES-2007 -- The Second International Conference on Availability, Reliability and Security
The conference will be held at the Vienna University of Technology (TU) in Vienna, Austria on